Commit Graph

2279 Commits

Author SHA1 Message Date
rajasec 039d25c341 Added error check in Getfilecon
Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comments

Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comments for adding length check

Signed-off-by: rajasec <rajasec79@gmail.com>

Fixed review comment

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-24 17:37:28 +05:30
Mrunal Patel 15b6b24413 Merge pull request #568 from mrunalp/move_hooks
Move pre-start hooks after container mounts
2016-02-24 10:07:32 +05:30
Michael Crosby fc98958321 Remount /dev as ro after it is populated
Because we more than likely control dev and populate devices and files
inside of it we need to make sure that we fulfil the user's request to
make it ro only after it has been populated.  This removes the need to
expose something like ReadonlyPaths in the config but still have the
same outcome but more seemless for the user.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-23 13:56:01 -08:00
Mrunal Patel 2f27649848 Move pre-start hooks after container mounts
Today mounts in pre-start hooks get overriden by the default mounts.
Moving the pre-start hooks to after the container mounts and before
the pivot/move root gives better flexiblity in the hooks.

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-23 02:50:35 -08:00
Mrunal Patel 2c3115481e Merge pull request #583 from crosbymichael/delete
Make sure container is destroyed on error
2016-02-23 13:30:19 +05:30
Michael Crosby 4bc25aaea1 Make sure container is destroyed on error
Even in the detach usecase we need to make sure that the contianer is
destroyed if there is an error starting the container or anywhere in
that workflow.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-22 15:34:41 -08:00
Mrunal Patel 5204301d1b Merge pull request #571 from mikebrow/runc-list-format-options
adding --format json to list command
2016-02-20 10:16:06 +05:30
Michael Crosby ee6a72df4e Merge pull request #577 from crosbymichael/m-named-cgroup
Move the process outside of the systemd cgroup
2016-02-19 13:51:58 -08:00
Michael Crosby 47f16e89df Move the process outside of the systemd cgroup
If you don't move the process out of the named cgroup for systemd then
systemd will try to delete all the cgroups that the process is currently
in.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-19 11:26:46 -08:00
Mike Brown 160daf293e adding --format json to list command
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-18 22:07:04 -06:00
Mrunal Patel 0107c7fb6c Merge pull request #573 from LK4D4/fix_dash_cgroup
Look for " - " instead of just - as separator
2016-02-19 08:57:39 +05:30
Andrew Vagin b8121e8998 checkpoint: call Prestart hooks on restore before restoring processes
Docker uses Prestart hooks to call a libnetwork hook to create
network devices and set addesses and routes.

Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
2016-02-19 02:40:26 +03:00
Andrew Vagin 46c25be297 checkpoint: add support of the EmptyNs criu option
This options is set a namespace mask which will not be dumped and restored.
For example, we are going to use this option to restore network
for docker containers. CRIU will create a network namespace and
call a libnetwork hook to restore network devices, addresses and routes.

Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
2016-02-19 02:40:26 +03:00
Andrew Vagin a2a771b8e2 libcontainer: update criurpc.proto
Signed-off-by: Andrew Vagin <avagin@virtuozzo.com>
2016-02-19 02:38:02 +03:00
Michael Crosby e28cfafa6d Merge pull request #567 from rajasec/tty-remove
Removing tty0 tty1 from allowed devices
2016-02-18 13:56:32 -08:00
Alexander Morozov 98cbce80fb Look for " - " instead of just - as separator
- symbol can appear in any path

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-02-18 09:58:29 -08:00
Alexander Morozov 488e315c21 Merge pull request #570 from crosbymichael/tty-nil
Check if tty is nil in handler
2016-02-17 13:37:21 -08:00
Michael Crosby 546af43fbc Check if tty is nil in handler
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-02-17 13:20:22 -08:00
Alexander Morozov 382880b250 Merge pull request #569 from mlaventure/fix-cgroupspath-as-cgroupsparent
Fix CgroupsPath interpretation
2016-02-17 12:54:51 -08:00
Kenfe-Mickael Laventure 3ceff76f64 Fix CgroupsPath interpretation
When CgroupsPath code was introduced with #497 it was mistakenly made
to act as the equivalent of docker CgroupsParent. This ensure that it
is taken as the final cgroup path.

A couple of unit tests have been added to prevent future regression.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-17 08:33:46 -08:00
Mrunal Patel 90472aeb9e Merge pull request #546 from mikebrow/usage-updates
updating usage for runc, and all runc commands that now use <container id> as the first argument
2016-02-17 21:13:22 +05:30
Mike Brown f4e37ab63e updating usage for runc and runc commands
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-17 09:00:39 -06:00
Mike Brown 80495833ae adding format options to list command
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2016-02-17 08:46:06 -06:00
Mrunal Patel 2c489ce2d9 Merge pull request #564 from hallyn/2016-02-16/userns.devicecg
Do not set devices cgroup entries if in a user namespace
2016-02-17 09:25:24 +05:30
Serge Hallyn 655f8ea808 Do not set devices cgroup entries if in a user namespace
When in a non-initial user namespace you cannot update the devices
cgroup whitelist (or blacklist).  The kernel won't allow it.  So
detect that case and don't try.

This is a step to being able to run docker/runc containers inside a user
namespaced container.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2016-02-16 19:39:43 -08:00
Mrunal Patel d854d8fcc2 Merge pull request #553 from cyphar/fix-pids-limit-tests
libcontainer: integration: fix flaky pids limit tests
2016-02-17 08:36:05 +05:30
Mrunal Patel a86e44cf8f Merge pull request #556 from hqhq/hq_remove_unneeded_cleanup
Remove unneeded cgroups path removal
2016-02-17 08:31:35 +05:30
Michael Crosby ce72f86a2b Merge pull request #558 from rajasec/tty-panic
panic during start of failed detached container
2016-02-16 16:01:08 -08:00
Alexander Morozov 8ce2413986 Merge pull request #563 from mlaventure/notty-detach-panic
Prevent a panic when container fails to start
2016-02-16 15:22:50 -08:00
Kenfe-Mickael Laventure b011f80451 Prevent a panic when container fails to start
This occurs when the container was requested to be started in detached
mode and without a tty.

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-02-16 15:18:49 -08:00
Alexander Morozov 533ee4d688 Merge pull request #557 from mrunalp/nonewprivs
Add support for NoNewPrivileges
2016-02-16 11:18:02 -08:00
Michael Crosby 4f33b03703 Merge pull request #561 from rajasec/kcore-link
Change softlink name to /dev/core
2016-02-16 11:03:37 -08:00
Michael Crosby 15eb206d76 Merge pull request #562 from cloudfoundry-incubator/avoid-sigchld-hang
Register signal handlers earlier to avoid zombies
2016-02-16 10:55:20 -08:00
Michael Crosby 2b0a53b9a4 Merge pull request #552 from cyphar/fix-cgroup-path
libcontainer: cgroups: fs: fix innerPath
2016-02-16 10:41:44 -08:00
Julian Friedman 5fbdf6c3fc Register signal handlers earlier to avoid zombies
newSignalHandler needs to be called before the process is started, otherwise when
the process exits quickly the SIGCHLD is recieved (and ignored) before the
handler is set up. When this happens the reaper never runs, the
process becomes a zombie, and the exit code isn't returned to the user.

Signed-off-by: Julian Friedman <julz.friedman@uk.ibm.com>
2016-02-16 18:38:54 +00:00
Alexander Morozov c6d18308b8 Merge pull request #526 from hqhq/hq_remove_procStart
Remove procStart
2016-02-16 09:12:04 -08:00
Mrunal Patel af400b90c3 Hook up the support to the OCI specification config
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:51 -08:00
Mrunal Patel 38b39645d9 Implement NoNewPrivileges support in libcontainer
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 06:57:50 -08:00
Mrunal Patel e898a30e34 Merge pull request #560 from chenchun/fix_valid_dest
It's /proc/stat, not /proc/stats
2016-02-16 17:44:14 +05:30
Mrunal Patel 61bfcfd82a Add libcontainer configuration for NoNewPrivileges
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-02-16 03:59:43 -08:00
Chun Chen 2ee9cbbd12 It's /proc/stat, not /proc/stats
Also adds /proc/net/dev to the valid mount destination white list

Signed-off-by: Chun Chen <ramichen@tencent.com>
2016-02-16 15:59:27 +08:00
rajasec b3661f4115 Removing tty0 tty1 from allowed devices
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-16 11:21:00 +05:30
rajasec 4cd31f63c5 Change softlink name to /dev/core
Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-15 17:52:19 +05:30
Qiang Huang bda7742019 Cleanup systemd apply
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 15:56:59 +08:00
Qiang Huang 7b88f34d6e Remove unneeded cgroups path removal
It's handled in `destroy()`, no need to do this in
`Apply()`. I found this because systemd cgroup didn't
do this removal and it works well.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-02-15 11:22:13 +08:00
rajasec 321b842404 panic during start of failed detached container
Signed-off-by: rajasec <rajasec79@gmail.com>

Adding nil check before closing tty for restore operation

Signed-off-by: rajasec <rajasec79@gmail.com>
2016-02-14 19:11:09 +05:30
Aleksa Sarai 21dc85c4b8 libcontainer: cgroups: fs: add cgroup path safety unit tests
In order to avoid problems with security regressions going unnoticed,
add some unit tests that should make sure security regressions in cgroup
path safety cause tests to fail in runC.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai b8dc5213e8 libcontainer: cgroups: fs: fix path safety
Ensure that path safety is maintained, this essentially reapplies
c0cad6aa5e ("cgroups: fs: fix cgroup.Parent path sanitisation"), which
was accidentally removed in 256f3a8ebc ("Add support for CgroupsPath
field").

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Aleksa Sarai 90140a5688 libcontainer: cgroups: fs: fix innerPath
Fix m.Path legacy code to actually work.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
2016-02-14 00:37:21 +11:00
Michael Crosby 361f9b7921 Merge pull request #550 from rajasec/restoretty
Adding tty closure for restore operation
2016-02-11 10:27:58 -08:00